Friday, February 27, 2009

I’ve written about harassment and about identity theft, but this post is about something different: A’s using B’s identity (without permission) to harass C.

I recently discovered that at least two states -- Arkansas and Massachusetts -- make this a crime, i.e., make identity theft harassment a crime.

The Arkansas identity theft harassment statute provides as follows:

A person commits nonfinancial identity theft if he or she knowingly obtains another person’s identifying information without the other person’s authorization and uses the identifying information for any unlawful purpose, including . . . [t]o harass another person.

The Massachusetts statute makes it a crime for someone “with intent to defraud” to pose “as another person without the express authorization of that person” and use “such person's personal identifying information to . . . harass another”. Massachusetts General Laws Annotated 266 § 37E.

I can’t find any other states with laws like these (though I could have missed some). And I can’t find any prosecutions that have been brought under these statutes, so I’m left to speculate as to precisely what they criminalize and why they’re necessary.

In analyzing those issues, we’ll use the hypothetical noted above: A uses B’s identity without B’s permission to harass C.

If the evidence proves that A harassed C, then the use of B’s identity would, I think, be irrelevant to the process of prosecuting A for harassment. I don’t see why A’s using B’s identity to carry out the harassment would in any way prevent A’s being prosecuted for harassment. As I’ve noted before, the crime of harassment consists of engaging in a course of conduct (persistent behavior) that is intended to and does either cause the victim substantial emotional distress or cause the victim to be annoyed, harassed and alarmed. (Some harassment statutes are based on inflicting emotional distress, others are based on harassing, annoying and alarming the victim.) If A did that, then I don’t see how his use of B’s identity is relevant to the viability of this charge.

I think what the statutes are concerned with is the fact that if A uses B’s identity to harass C, we have two victims (B and C), the harm to only one of which (C) can be redressed with existing criminal law. As I noted above, A can clearly be prosecuted for – and convicted of – harassing C if his conduct otherwise satisfies the elements of the crime of harassment (intentionally inflicting emotional distress on or harassing, annoying and alarming C).

The problem is that most identity theft statutes can’t be used to prosecute A for the harm he inflicted on C. As I’ve noted before, identity theft statutes define a property crime: the identity thief uses another person’s identifying information to get money or property to which he or she is not lawfully entitled. Financial identity theft crimes like the ones these statutes define are really fraud crimes; the identity thief uses his victim’s identity, without being authorized to do so, to trick financial institutions or businesses into giving him property to which he is not lawfully entitled.

Here, though, A doesn’t use B’s identity to get property he’s not entitled to, which means he can’t be prosecuted under a traditional, financial identity theft statute. The Arkansas and Massachusetts statutes define (as the Arkansas statute notes) nonfinancial identity theft . . . using someone’s identity to harass someone else. The harm inflicted on B is that his identity is used to commit a crime, which could conceivably result in B’s being held liable for the crime if A is really clever at hiding his tracks.

So what I think these statutes are doing is making sure that the harm to the intermediate victim – the person whose identity is used to harass someone else – can be prosecuted. I don’t think they are specifically based on the notion that A is, in a sense, trying to “frame” B for the harassment he’s inflicting on C. I think these statutes probably encompass that notion, but I also suspect they’re intended to encompass a broader, more nebulous harm: the corruption – the taint – that A imposes on B’s identity. By using B’s identity to commit harassment, A essentially adulterates B’s identity; he taints it with the implication of criminal conduct.

Wednesday, February 25, 2009

This post is based on an article I've been working on with one of my students. It's about cyber bullying, and the issue of gossip keeps coming up. It also comes up in the context of other online crimes like stalking and harassment.

Gossip comes up when we consider the propriety of using criminal law – crimes like stalking, harassment and defamation – to discourage people from posting certain types of information online. The constant theme in cyberbullying, stalking, harassment and online defamation is that someone (A) posts information or rumor or opinion about B and, in so doing, “harms” B.

The problem for law is the nature of the harm. As I’ve explained elsewhere, criminal law evolved to deal with what I call hard harms: tangible injury to persons and property. Since they’re tangible, those harms tend to be objective in nature; that is, law can categorically assume that if A rapes B or hits B or kills B or burns down B’s house or steals B’s car, a certain quantum of physical harm – physical damage – was inflicted. That’s important, aside from anything else, because it means the harm is objective enough that we can define crimes clearly; so we make it a crime to cause the death of another human being or steal property or burn property, etc.

Law can confidently assume that statutes like these put people on notice as to what they are not supposed to do; when people are on notice of what they’re not supposed to do but go ahead and do what is forbidden, then it’s a pretty straightforward process to hold them liable for what they did. The prosecutor has to show they had the necessary evil mind (they knew what they were doing was wrong, they purposely did what they knew was wrong, they recklessly did something that was wrong, etc.) and that they actually inflicted the prohibited harm. The harms themselves are pretty generic; that is, causing the death of any human being inflicts the same harm, as far as law is concerned. (That’s why if A fires a gun intending to kill A but kills B instead, we can still prosecute him for murder; he caused the death of a human being . . . he got the wrong one, but he still caused the death of a human being and that is the harm murder encompasses.)

That brings us to soft harms: Unlike hard harms, which involve tangible injury to persons or property, soft harms are more difficult to categorize. Essentially, they involve the infliction of some type of injury to morality, to affectivity or to a systemic concern with the safety of individuals and/or the integrity of property. So crimes like stalking and harassment often target the infliction of emotional distress, and criminal defamation often targets causing damage to someone’s reputation and/or holding them up to ridicule.

When we move into soft harms things become more complicated. We’ve all said things that could harm others in more or less serious ways, never intending that they reach the person in question. They usually do not because social mores inhibit most of us from telling A what B said about him. The idea of prosecuting someone on the basis of such conduct seems absurd, but it has been (and is being) done.

The issue of soft harm arises because the presumptive confidentiality we assume in the real-world becomes problematic online, at least when the actor posts comments on a site that is at least potentially accessible to the target of the comments. When we post irritating or malicious gossip online we publish the comments to the world. If we post comments without regard to whether the person they concern is likely to see them, we do not engage in the premeditated, focused communications that have been (and are) a defining characteristic of crimes like stalking, harassment and defamation. If our comments reach the victim, they may inflict the types of harm prohibited by harassment and stalking statutes; the problem lies in our lack of an intention to stalk, harass and/or defame the victim. We may have just been venting about the victim or engaging in the kind of gossip that is routine – and definitely not criminal – in the real, physical world.

Stalking and harassment laws are not an appropriate way to deal with this kind of behavior because they were crafted to deal with a specific type of targeted, malicious communication. Harassment and stalking often involve bombarding the victim with what would constitute gossip if it were shared with persons other than the one it concerns. It is this premeditated, malicious targeting of the victim that distinguishes simple gossip (non-criminal gossip) from harassment or stalking. When it comes to gossip, ignorance may not be bliss, but it eliminates any need to use criminal liability to control what is being said about someone.

How should we handle situations in which this malicious targeting is absent but the online circulation of gossip still inflicts harm on the person it concerns? We're dealing with a new problem, one that could not have arisen prior to the Internet. Until Internet use became common, the publication of material (gossip, rumor, news, etc.) was controlled by mainstream media: corporations engaged in disseminating content via print, radio and television signals. The material mainstream media publishes is limited by two factors: The cost involved in publication by traditional means acts as a de facto content filter; publishing material about matters of general public interest is likely to be more profitable than publishing material that will interest only a few people. The other limiting factor is the possibility of being sued (for defamation, invasion of privacy, etc.); that possibility causes mainstream media companies to rely on a cadre of professional editors, reporters and other staff, whose collective purpose is to filter content and prevent the publication of actionable material.

The mainstream media therefore (i) publishes gossip about people whose lives are likely to be of general public interest (celebrities) but (ii) does not publish gossip about non-celebrities, i.e., those whose lives will almost certainly not be of interest to the general public. This meant that prior to the Internet, non-celebrities bore little, if any, risk of having gossip about themselves circulated to a wider audience. Gossip stayed where it had always been – within the localized group comprising the individual’s co-workers, acquaintances, friends and family.

The Internet changes that. Now we all face the prospect of experiencing what was once the sole province of Hollywood celebrities: We can have our own paparazzi, whether we like it or not. Unlike professional paparazzi (who are motivated by profit), our paparazzo (or paparazzi) may be motivated by jealousy, insecurity or boredom. And unlike those who have traditionally been the targets of paparazzi, we have done nothing to inject ourselves into the public arena. We expect celebrities to shrug off the more or less accurate but usually embarrassing gossip paparazzi generate about them; but those of us who are not celebrities are outraged when our own, free-lance paparazzi do something similar to us.

Should criminal stalking and harassment laws be expanded to encompass the online circulation of gossip about private citizens? Celebrities have on occasion sought to use stalking or harassment laws against their paparazzi, but those efforts have been predicated on the trespasses and assaults paparazzi often use to obtain photographs of celebrity targets. Since physical trespasses and encounters are not an aspect of the problem we are considering, these uses of stalking and harassment cannot provide guidance for dealing with the online gossip problem.

That seems to leave us with two alternatives: One is to expand current criminal stalking or harassment laws so they encompass the generalized publication of gossip that inflicts soft harm. The other is for us to accept our newfound, and perhaps unwelcome, status as a lower case public figure, i.e., as someone whose personality, appearance, activities and/or predilections can become grist for an amateur online paparazzo (or paparazzi).

While some may find the first alternative appealing, it would be unworkable in practice and is almost certainly unconstitutional. It would be unworkable because the criminal justice system would be inundated with requests for prosecutions, most of which would be denied due to a lack of resources; rejected requests might lead the original victim to retaliate in kind, which could lead to a consequent, also likely to be rejected request for prosecution by the perpetrator-become-victim.

While prosecutions might be brought in a few particularly egregious cases, they would probably do little to discourage the online gossip phenomenon. As to the constitutional issues, expanded stalking and harassment statutes criminalizing the circulation of simple gossip should violate the First Amendment because they would bar the publication of non-defamatory content and opinion; they would probably also be held void for vagueness due to the difficulty involved in articulating what was, and was not, permissible in online commentary about someone. That leaves the second alternative, which is eminently feasible but more than a little unsatisfying. We would have to tolerate the aggravating attentions of those who choose to become our paparazzi (unless their conduct could be prosecuted under one of the theories we have yet to examine). We would have to accept the proposition that has been bandied about for more than decade: Cyberspace transforms everyone into a public figure; or, more accurately, cyberspace has the potential to transform everyone into a public figure. If some more or less deranged person decides to spread gossip about me online, I have to deal with it on my own; I can ignore it or respond in kind or, if the gossip is particularly annoying, try to have it taken off the site on which it is posted. Beyond that, there probably is nothing I can do (absent, again, the applicability of one of the theories we examine below).

While this alternative may seem unsettling and unsatisfying to us, that may not always be true. We find it unsatisfying because we are used to a world in which we have been able to ignore what is said about us, at least for the most part; I know, at some level, that my friends, colleagues and acquaintances gossip about me behind my back, but as long as I do not know what they say, I can ignore it. When what they say migrates online, it becomes difficult – if not impossible -- for me to ignore it. Since I am the product of a real-world culture which dictates that gossip is not to reach the person it concerns, I am likely to be outraged and want the perpetrators sanctioned, somehow. But that reaction may be an historical artifact, the product of a non-networked culture.

As social networking becomes more pervasive, we are likely to become more accustomed to – and more comfortable with – the fact that gossip has migrated online and can leak into wider circulation. If it simply leaks, and is not deliberately directed at the person it concerns, we may have to live with that. The pragmatic assumptions we tend to make about intentionality when gossip reaches its target in the real-world will no longer be valid, which may make the notion of holding the leaker criminally liable for what he or she has done hopelessly problematic.

Monday, February 23, 2009

On February 10, Nevada Senate Bill 125 was introduced into the Nevada legislature and then referred to the Nevada Senate Judiciary Committee.

The Committee is scheduled to discuss the bill today, February 23, 2009. Section 1 of the bill would add the following new crime to the Nevada criminal code:

1. Except as otherwise provided in this section, a person who knowingly and intentionally possesses, reads or captures the personal identifying information of another person using radio frequency identification, without that person's knowledge and prior consent, is guilty of a category C felony and shall be punished as provided in [Nevada Revised Statutes §] 193.130.

2. The provisions of this section do not prohibit the possession or use of any personal identifying information through radio frequency identification by officers of local police, sheriff and metropolitan police departments and by agents of the Investigation Division of the Department of Public Safety while engaged in undercover investigations related to the lawful discharge of their duties.

3. As used in this section, 'radio frequency identification' means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to read or communicate to or from personal identifying information through a variety of modulation and encoding schemes.

Nevada Senate Bill 125(1). The bill defines radio frequency identification as “the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to read or communicate to or from personal identifying information through a variety of modulation and encoding schemes.” Nevada Senate Bill 125(3). It doesn’t seem to define “personal identifying information.”

Section 4 of Senate Bill 125 says that someone who violated § 1 of the Bill can be prosecuted for the violation “whether or not the person whose personal identifying information forms a part of the violation” is (i) “living or deceased during the course of the violation or the prosecution”; (ii) an artificial person (e.g., a corporation); or (iii) suffered financial loss or injury as a result of the violation.

Section 5 of Senate Bill 125 provides as follows:

The provisions of . . . section 1 of this act do not apply to any person who, without the intent to defraud or commit an unlawful act, possesses or uses any personal identifying information of another person:

1. In the ordinary course of his business or employment; or

2. Pursuant to a financial transaction entered into with an authorized user of a payment card who has given permission for the financial transaction.

Nevada Senate Bill 125.

The bill, as originally introduced, was the target of criticism from the Electronic Frontier Foundation and other sources because it does not explicitly exempt legitimate security researchers from liability for violating § 1. According to an article in The Register, the bill’s sponsor – State Senator Parks – says he intends to introduce an amendment on Monday that would specifically exempt legitimate researchers from liability for violating § 1.

The Nevada bill isn’t the only legislation on this issue. A California statute added by 2008 legislation makes it a crime for a “person or entity” to “intentionally remotely read[] or attempt[] to remotely read a person’s identification document using radio frequency identification (RFID), for the purpose of reading that person’s identification document without that person’s prior consent”. California Civil Code § 1798.79(a). A related statute defines “radio frequency identification” as “the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from an identification document through a variety of modulation and encoding schemes.” California Civil Code § 1798.795(e).

The same statute defines an identification document as “any document containing data that is issued to an individual and which that individual, and only that individual, uses alone or in conjunction with any other information for the primary purpose of establishing his or her identity.” California Civil Code § 1798.795(c). A violation of § 1798.79(a is punishable “by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars . . . or both”. California Civil Code § 1798.79(a).

And last year, Washington also adopted a statute that makes it a felony to intentionally possess, or read or capture remotely “using radio waves, information contained on another person’s identification document, including the unique personal identifier number encoded on the identification document, without that person’s knowledge or consent.” Washington Revised Code § 9A.58.020(1). The Washington statute also says this section – the section that defines the crime – does not apply to a “person or entity” that

(i) “reads an identification document to facilitate border crossing”;(ii) “reads a person's identification document in the course of an act of good faith security research . . . or scientific inquiry including . . . activities useful in identifying and analyzing security flaws and vulnerabilities”; or (iii) “unintentionally reads an identification document remotely in the course of operating its own radio frequency identification system, provided that the inadvertently received information is not disclosed to any other person, is not used for any purpose and is not stored or is promptly destroyed.”

The California and Washington statutes seem to be narrower in focus than the proposed Nevada legislation: They make it a crime to use RFID technology to remotely read an “identification document.” Washington defines such a document very narrowly, while California defines it more broadly; the constant in both statutes, though, is to read an “identification document.” The Nevada statute is at least potentially broader in its scope, since it focuses on using RFID technology to obtain “personal identifying information.”

As long as legislation like this exempts legitimate researchers and other legitimate uses of RFID technology, I really don’t see that it’s problematic in terms of privacy or criminal law concerns. The purpose, of course, is to help protect our privacy in an era in which communication technology becomes increasingly embedded in various aspects of our lives . . . invisibly embedded, which may make it harder for us to keep track of it and protect it. These statutes seem to do this, and they seem to do it by focusing on the data, instead of the technology.

A law review article argues that this is the appropriate approach for preventing RFID-predicated invasions of data privacy because it is less likely to interfere with the development and implementation of RFID technology. See Justin M. Schmidt. RFID and Privacy: Living in Perfect Harmony, 34 Rutgers Computer and Technology Law Journal 247 (2007).

Thursday, February 19, 2009

In this post, I’m going to take issue (a bit) with some comments Bruce Schneier included in his February 15 version of Cryptogram.

The post was about the Supreme Court’s recent decision in Herring v. U.S. 129 S.Ct. (U.S. Supreme Court 2009).

The facts in the case are very simple: a police officer did a warrant check on Bennie Herring to see if there were any outstanding warrants for his arrest. The officer checked with a warrant clerk who worked for the county and she said there was an active warrant for Herring’s failure to appear on a felony charge.

The clerk faxed a copy of the warrant to the officer. The officer found Herring and arrested him on the basis of the warrant; he also searched Herring under an exception to the 4th Amendment’s warrant rule called “search incident.” U.S. v. Herring, supra. As I explained in an earlier post, the exception is based on the premise that it’s reasonable to let an officer search a person he arrests for officer safety (find any weapons that could be used against the officer) and for the preservation of evidence (find any evidence on the person). In this case, the officer found methamphetamine and a pistol in Herring’s pocket. U.S. v. Herring, supra.

Herring was charged with possessing the drugs and the pistol, but moved to suppress the evidence. He pointed out that after the arrest, the officer learned that the warrant clerk had been wrong; the warrant the officer relied on in arresting Herring had been recalled, which meant it didn’t exist anymore. U.S. v. Herring, supra. Since it didn’t’ exist, the warrant didn’t justify the arrest.

Herring argued, quite reasonably, that the government shouldn’t be able to use the evidence it found during the search incident to what proved to be an invalid arrest. Basically, he was saying that since the officer really didn’t have a 4th Amendment justification for searching his pockets, the government shouldn’t be allowed to use what they found. U.S. v. Herring, supra. In other words, Herring argued that the exclusionary rule should apply here. As I assume we all know, the exclusionary rule is the device we use to enforce the 4th Amendment: If police violate the 4th Amendment, they can’t use the evidence they find; it’s excluded as a sanction, as a way of saying that police have to follow the 4th Amendment.

Herring lost. In an opinion by Chief Justice Roberts, the Court held that it was not appropriate to apply the exclusionary rule in this case because the officer did not deliberately violate the 4th Amendment. Justice Roberts noted that to “trigger the exclusionary rule, police conduct must be sufficiently deliberate that exclusion can meaningfully deter it”. U.S. v. Herring, supra. He explained that “the exclusionary rule serves to deter deliberate, reckless, or grossly negilgent conduct, or in some circumstances recurring or systemic negligence.” U.S. v. Herring, supra.

Since the conduct in this case was simply a goof up – an isolated instance of simple negligence – the Court did not think the application of the rule appropriate because there was no intentional conduct to deter. U.S. v. Herring, supra. To put it another way, the Court found that if police don’t know they’re violating the 4th Amendment, there’s no reason to exclude the evidence they obtain by doing so.

That brings me back to the Cryptogram post. Schneier notes that by not applying the exclusionary rule in this case, the Supreme Court “missed an important opportunity to motivate the police to purge errors from their databases.” Other comments in the post lead me (perhaps incorrectly, and if so, I apologize) to get the impression that Schneier thinks that ANY mistake will excuse police from having to comply with the exclusionary rule.

I’m going to assume I’m correct, and explain why I don’t think this is what the opinion actually does. I’m not a fan of Justice Roberts, but I don’t really think he’s off base in this opinion; I don’t think it will have the effect Schneier seems to assume it will have.

At the beginning of the substantive portion of his opinion, Justice Roberts notes that when

a probable-cause determination was based on reasonable but mistaken assumptions, the person subjected to a search or seizure has not necessarily been the victim of a constitutional violation. The very phrase `probable cause’ confirms that the Fourth Amendment does not demand all possible precision. . . . For purposes of deciding this case, however, we accept the parties' assumption that there was a Fourth Amendment violation. The issue is whether the exclusionary rule should be applied.

U.S. v. Herring, supra. I’m not sure why the Court did this, and to explain why I’m not sure I have to talk a bit about another 4th Amendment principle.

As I’ve explained before, the 4th Amendment creates a right to be free from “unreasonable” searches and seizures. An arrest is a seizure of a person, and going through an arrestee’s pockets is a search. To be reasonable, an arrest of a person – and the subsequent search incident of the person – has to be based on probable cause. A police officer can arrest a person in a public place if he/she has probable cause to believe the person committed a crime; the officer doesn’t need an arrest warrant. An officer only needs an arrest warrant to arrest someone in his home.

In the Herring case, the officer arrested him in a public place so the officer didn’t need an arrest warrant; the role of the warrant in this case was to give the officer probable cause to make the arrest. The officer mistakenly assumed the warrant was valid when it was not; that means the officer believed he had probable cause to arrest when he did not. So what we have is a mistake, as Justice Roberts noted in the passage quoted above.

The Supreme Court has for years held that if an officer makes a mistake, the mistake doesn’t violate the 4th Amendment unless the mistake itself was unreasonable. In Maryland v. Garrison, 480 U.S. 79 (1987), for example, police officers had a warrant to search the apartment belonging to a man named McWebb for drugs.. They knew the apartment was on the third floor of “the premises known as 2036 Park Avenue”; what they didn’t know was that there was two apartment on the third floor of that building.

When they got to the building, they ran into McWebb, who took them upstairs and let them into the locked door to the third floor apartment(s). When they entered, they saw Garrison standing in what proved to be a hallway between the two apartments; believing there was only a single apartment, the officers fanned out and started searching for drugs. Before they figured out there were two apartments – one of which belonged to Garrison – they found drugs in his apartment. Garrison was charged with and convicted of violating state drug laws based on what they found in his apartment. Garrison argued that the drugs should have been suppressed because the police had a warrant to search McWebb’s apartment, not his. Maryland v. Garrison, supra.The Supreme Court disagreed. It found that the officers made a mistake, but it also found that a “reasonable” mistake doesn’t violate the 4th Amendment. Remember, it only protects us from “unreasonable” mistakes.

This brings me back to the Schneier post: I think the Herring case is really a “mistake” case. Under Garrison, if the officer’s mistake in relying on what proved to be a recalled warrant was “reasonable,” then there was no 4th Amendment violation when he arrested Herring and conducted the search incident that turned up the pistol and drugs. The real issue is whether the mistake was reasonable. Maryland v. Garrison, supra.

In the Garrison case, the Court held that the officers’ mistake about their being only one apartment on the third floor of the Park Avenue building was reasonable. In so finding, it looked at what they had done to determine if there was one apartment on the third floor of the building. One officer checked with the local gas and electric company and was told that the bills for the apartment(s) on the third floor went to McWebb (only); they checked other records that showed McWebb lived on the third floor of the building and they looked at it from outside. (It apparently looked like there was only one apartment on the third floor when you looked at the building). The Supreme Court said they could have done more, but reasonable is not synonymous with perfection. The Court found that because the officers made a reasonable –though ultimately inadequate – effort to determine that there was only one apartment on the third floor, their mistake did not violate the 4th Amendment. Maryland v. Garrison, supra.

This brings me back to Schneier’s point: I don’t think the Herring case (especially when read in the light of the holding in the Garrison case) means that ANY mistake the police make (whether in relying on defective databases on in relying on their own inadequate investigations) will allow evidence obtained as a result of the investigation to be used in court. It looks to me (as I think it did to Justice Roberts) like the Herring case is really a Maryland v. Garrison mistake case: The officer who made the arrest reasonably though mistakenly believed the warrant was valid; the warrant clerk who told him there was a live warrant also reasonably – though again mistakenly – believed there was a live warrant, until she subsequently discovered otherwise.

Construed in this light, the Herring case stands for the proposition that police mistakes based on errors or inadequacies in the databases they use will not violate the 4th Amendment and will therefore not trigger the application of the exclusionary rule if the mistakes are “reasonable.” If I’m moving to suppress evidence obtained as the result of such a mistake, I can argue that the mistake was not reasonable, which means I will be relying on as much evidence as I can compile that shows the way the police maintained and operated the database was clearly inadequate. If the court agrees, it will apply the exclusionary rule and I’ll win. It’ll be up to the prosecutor to rebut my argument by coming up with evidence which shows that yes, they goofed up but the underlying structure and operation of the database was reasonable.

Tuesday, February 17, 2009

As Wikipedia explains, at English common law the hue and cry “was a process by which bystanders were summoned to assist in the apprehension of a criminal who had been witnessed in the act of committing a crime.”

The hue and cry was part of the system England used to enforce criminal law centuries ago, before professional police appeared (which began in the nineteenth century).

Once professional police became common in England and other countries (including the U.S.), people pretty much assumed they had no responsibility for helping enforce criminal law.

This post is about a recent instance . . . what was, in effect, a twenty-first century version of the old hue and cry.

Maybe you’ve seen some of the stories: a real (ahem) jerk kid in Oklahoma, assisted by his brother, beat and otherwise horribly abused a cat (Dusty), apparently their own pet. The jerk and his brother made a video of the abuse and posted in on YouTube, where it was seen by 30,000 people before it was removed. It seems some of those people were cat lovers who weren’t content just to look at the video.

Instead, they set out to find the jerk and his brother. From everything I’ve read, it was 4chan’s /b/ who tracked them down and posted names, address, parents’ names, phone numbers and, I think, other information online. They and/or other people also contacted the Sheriff’s office in Lawton, Oklahoma, where these jerks live.

The Sheriff has been (is being?) flooded with calls about the case, most of which I gather are demanding that the perpetrators be prosecuted. The Sheriff has been quoted as saying that the cat is alive and at a veterinarian’s and that his office is conducting an investigation and it will be up to the local prosecutor to decide if the guys should be charged. A story posted late last night said the jerks will meet with the local district attorney today, and may face charges of animal cruelty. (Personally, I hope they are, but that’s an aside having nothing to do with my real point.)

What I find professionally interesting about the popular reaction to what the jerks did is that it’s a twenty-first century hue and cry. Like the historical hue and cry, the pursuit and identification of the perpetrators was not something that was set in motion and overseen by professional law enforcement officers. It was, instead, the members of a community (a really big community in this instance) reacting to a crime they saw being committed.

This case differs from the traditional hue and cry in several ways. For one thing, the people who became involved in the hue and cry for the abuse of Dusty the cat did not actually see the abuse (the crime) taking place in real-time. Instead, they saw the video the jerks made of the crime; what they saw was not the crime as it was being committed but a recording of a crime that had already happened at some point in the past. I don’t see that this makes any difference; if you see a crime being committed in real-time or on a video and know the perpetrators are almost certainly still out there walking around, it seems to me that either should be sufficient to trigger public pursuit of the perpetrator(s).

Another difference lies in the composition of those involved in this modern hue and cry. I have no idea how many people were actually responsible for tracking these guys down, but I suspect it was a pretty small group. It seems, though, that a LOT of people were talking about the case online and calling for something to be done to find the abusers (and maybe save the cat). I think it’s reasonable to include those people in the hue and cry in this case; as I understand it, in the traditional hue and cry a lot of people might be involved in looking for the perpetrator, who might actually be caught by only a few. The point was to mobilize the entire community in the search for one who had committed a crime, and it seems to me we came pretty close to having that happen in this case.

That brings me back to the difference between the composition of the community involved in this hue and cry and the community that would be involved in a traditional English hue and cry. The community involved in the traditional English hue and cry would be the local people – the people in that village or other local geographical area. They were, after all, looking for a perpetrator who’d either be on foot or traveling by horse, which meant he couldn’t move that fast. Here, I’m getting the impression that the people involved in the Dusty the cat hue and cry were literally from all over the globe; I do not mean, of course, that the entire populace of the globe was involved. What I mean is that people from countries outside the U.S., as well as people from within the U.S., were involved in looking for the perpetrator and in calling for his apprehension. (I think even posting messages online calling for the jerks to be identified and caught would be part of the modern hue and cry because it encourages people – people who have the technical skills needed to do so – to do just that.)

I think this whole episode is pretty cool, and not just because I’m an animal lover who would like to see these jerks face some consequences for what they did. I think it’s interesting because of the underlying dynamic.

I’ve written a lot of law review articles and a book, in all of which I argue that we need to rethink how we handle law enforcement when it comes to online crimes. I know this one wasn’t an online crime: The crime was committed when the jerks abused the cat; the online component essentially consisted of their bragging about the crime they had already committed.

I think that still works for the point I’m making though; if you find out about a crime online and know that the perpetrators have not been identified and are still on the loose, it seems to me you have the basis for launching an online hue and cry, as was done in this case. It seems to me you would also have the basis for launching such an effort if you observed a crime while it was being committed online or discovered that a crime had been committed online after the fact, i.e., after the commission of the crime was completed.

Getting back to my point, in my articles and book I argue that the traditional, hierarchically-organized law enforcement model is not the optimum approach for dealing with networked crimes. As I explain, hierarchical organization is a good way to organize physical resources and personnel to handle tasks (law enforcement, war, building things, etc.) in the real, physical world. I argue that the virtual world is different in several respects, the combined effect of which is to make the hierarchical law enforcement model a less than optimum approach in many – if not most – instances. I’m not arguing for eliminating the traditional law enforcement model; we need it for the real world, at least for the foreseeable future, and it can still work in certain instances for online crimes.

What I argue in these articles – and here’s a link to one of them if you’re interested in reading more – is that we need to develop and implement fluid, lateral approaches that let us take advantage of the strengths of the virtual world. I think that’s what happened in the Dusty the cat case. It was a purely spontaneous movement – a modern hue and cry – that resulted in the identification and apprehension of the perpetrators in an amazingly short period of time. A crime was committed – one outraged at least a good portion of the online community – and the community reacted to see that it was addressed.

Had the 4chan people (and others, maybe) not done what they did, this incident might well have gone unaddressed. It might never have come to the attention of local police; if it had, they might well not have done much about it. The combined effect of the efforts of the people who identified these jerk kids plus what seems to be ongoing calls for the local law enforcement people to do something about this just might result in the jerks facing some kind of sanction.

That would be appropriate. As I tell my students, criminal law has several purposes: One is deterrence; when we find people who’ve committed crimes, we punish them to deter them from repeating their crimes and to deter others from committing the same crime for fear that they’ll get the same punishment. The other function of criminal law is denunciation: By sanctioning someone – like these jerks – we send the message that society doesn’t like and won’t tolerate this kind of activity.

I’m going to quit before I really get on soapbox. Before I do, though, I want to note one error I’ve seen in some of the stories that have appeared about this case.

Some of the stories refer to what the 4chan people (and others?) did as vigilantism. In other words, they’re calling these guys vigilantes. They are not. As I’ve explained before, a vigilante is someone who takes the law into his/her own hands. That doesn’t mean they just track down someone who committed a crime; to be a vigilante, you don’t just act as an investigator – as a law enforcement officer. You act as judge, jury and executioner. The people who tracked down the jerk kids in this case did not do that; they made sure the information that identified the kids got to law enforcement, and that is not vigilantism. It’s pretty much the hue and cry . . . which, as I said, I think is cool.

Monday, February 16, 2009

This post is about a perfectly logical – but completely wrong – argument a defendant made in moving to suppress evidence in a criminal case. The case is U.S. v. Christie, 570 F. Supp.2d 657 (U.S. District Court for the District of New Jersey 2008).

Basically, Christie was charged with multiple counts of possessing, receiving and advertising child pornography, all in violation of federal law.

The charges arose from an FBI investigation that focused, in part, on images of child pornography posted on a NAMGLA (which the court’s opinion says is an acronym for North American Man Girl Love Association) website by a user identifying himself as “franklee.” U.S. v. Christie, supra. FBI agents were apparently able to trace franklee by using the IP address linked to the postings; the agents apparently got the subscriber information linking Christie to the IP address by getting information from his ISP. U.S. v. Christie, supra.

After being charged, Christie filed several motions to suppress the evidence the agents found at his home, one of which focused on how they found out who he was and where he lived. According to the court, Christie claimed he had a “legitimate expectation of privacy in his Internet subscriber information such that the Government violated the Fourth Amendment by learning, absent a warrant or other appropriate procedures, the identity of the person utilizing the IP address associated with the anonymous online name of `franklee.’” U.S. v. Christie, supra.

Christie based his argument that he had a Fourth Amendment expectation of privacy in his subscriber information on a New Jersey appellate court decision: State v. Reid, 389 N.J. Super. 563, 914 A.2d 310 (Appellate Division of the Superior Court of New Jsersey 2007). As the federal district court ruling on Christie’s motion to suppress explained, “the Appellate Division of the Superior Court of New Jersey held, in Reid, that New Jersey citizens have `an expectation of privacy under [the] State Constitution with respect to this identifying information’ associated with an IP address.” U.S. v. Christie, supra.

What Christie didn’t (or couldn't) know is that the New Jersey Supreme Court also heard the Reid case and also held that New Jersey citizens have an expectation of privacy in their Internet subscriber information. I did a blog post on the New Jersey Supreme Court’s opinion last year; you can check it out if you want to know more about what they said. I don’t know if Christie hadn’t heard about that decision or if it hadn’t issued when he filed his motion to suppress. It would have strengthened his argument but, as I noted earlier, that really wouldn’t have mattered because his argument was doomed from the outset.

Remember, Christie is being prosecuted in federal court by federal prosecutors. The decision of the Appellate Division of the Supreme Court of New Jersey (and the New Jersey Supreme Court’s opinion) in the Reid case held that New Jersey citizens have an expectation of privacy in the kind of subscriber information the FBI agents used to find Christie. Therefore, if the agents had been New Jersey law enforcement agents, they could not have simply (which seems to be what happened . . . it isn’t clear from this opinion but that seems to have been the case) have contacted the ISP linked to the IP address and found out what address it was associated with. Instead, they would have had to get a search warrant (Appellate Division) or a grand jury subpoena (New Jersey Supreme Court). Either way, what they did would have violated . . . New Jersey law.

Americans live in a federal system. That is, we live in a two-tiered legal system: We are governed by the law of the state (or the District of Columbia) we live in and by federal law. Each set of laws – that is, the laws of each state and the laws of the federal system – are distinct. The law as decided by a New Jersey state court applies in New Jersey state court proceedings; it does not apply in federal proceedings, even if they are taking place in the territory of the state of New Jersey. As the Christie court explained, the

Appellate Division expressly noted that federal courts have `uniformly’ held that `internet subscribers have no right of privacy under the Fourth Amendment with respect to identifying information on file with their internet service providers.’ . . . [T]he Supreme Court of New Jersey subsequently affirmed the Appellate Division, and also noted that `[f]ederal case law interpreting the Fourth Amendment has found no expectation of privacy in Internet subscriber information . . . [and] [t]he logic of those precidents extends to subscriber information revealed to an ISP’ . . This federal Court declines to ignore the unanimous decision of every other federal court to have addressed this issue by adopting the . . . interpretation of the Supreme Court of New Jersey, which . . .distinguishes the protection afforded under the state constitution from that of the federal Constitution. Therefore, this Court holds that Mr. Christie does not have a legitimate expectation of privacy in the information associated with his IP address.

U.S. v. Christie, supra.

In other words, the only way the two New Jersey appellate courts (Appellate Division and Supreme Court) could hold that New Jersey residents have an expectation of privacy in their Internet use and subscriber records is to base that holding on the New Jersey state constitution. The U.S. Supreme Court has held that state supreme courts are the masters of their state constitutions; they are free to construe those constitutions as providing more protection for their citizens than does the U.S. Constitution (which is interpreted by the U.S. Supreme Court). The U.S. Supreme Court is the ultimate arbiter of the U.S. Constitution; state supreme courts are the ultimate arbiters of their respective state constitutions . . . and the two systems operate completely independently of each other.

This doesn’t mean a state supreme court can’t consider the U.S. Supreme Court’s decisions or reasoning in deciding how to construe its state constitution, or vice versa. It does mean that the precedential effect of a state supreme court’s decision is limited to cases brought under the law of that state; courts in other states, and even federal courts, can cite the rationale a state supreme court used as an example of good reasoning.

A federal court can say, in effect, “This is what the State Supreme Court of X said in ruling on this issue. We think their analysis is sound and, since this isn’t a federal constitutional or federal statutory issue, we’re going to apply their rationale in deciding the issue before us.” So, for example, a federal court might be faced with having to decide how a particular criminal term – “damage” or “malice”, say – should be construed. If there’s no guidance on the issue in federal statues or federal court decisions, then a federal court may well look to see how state courts have dealt with that issue; if it finds a decision with reasoning it likes, it may cite that reasoning, but not as precedent. It simply cites it as the source of the conclusion it’s going to reach.

But that’s not what was going on in the Christie case. Mr. Christie had the misfortune of mixing his legal metaphors: He tried to use a state court’s decision as precedent in a federal case, which just won’t work. As a result, he lost.

Friday, February 13, 2009

This is not a post that's going to resolve an issue of law or policy related to computer crime. It's a post in which I'm trying to work through an issue that came to my attention recently.

More precisely, it’s a rumination on the notion of “damage” to computers; more precisely, it’s a rumination on the notion of “damage” to computers as the term is used in cybercrime statutes.

The post (and rumination) was prompted by a conversation I had with a European cybercrime expert who’s a visiting scholar at my law school this term. We were talking about cybercrime and “damage” and he said that some, at least, European countries criminalize the infliction of (i) damage to data and (ii) damage to a computer, as such.

I found that an intriguing idea, since our cybercrime cases (and those I’ve seen from abroad) usually focus on damage to data. Maybe that’s just a function of the motives that prompt people to commit cybercrimes: They commit cybercrime to steal, to extort money or other property, to alter data for some criminal purpose, and to delete data for the same purpose. So maybe my implicit assumption that “damage” in the context of target cybercrimes – cybercrimes that target a computer or computer data, rather than a person – refers to the alteration, deletion or copying of data, not to actually damaging a computer, as such.

My conversation with our visiting scholar made me think about two issues: One is whether it is possible to use cyberspace to physically damage computer hardware; the other issue arises only if we decide that it is, in fact, possible to use cyberspace to damage computer hardware. This issue is whether, given that possibility, we need specific cybercrime statutes that make it a crime to damage computer hardware, since arguably such damage could be prosecuted under a general criminal property damage statute.

I did find statutes that seem to incorporate the distinction our visiting scholar noted. The German Penal Code has different statutes dealing with damage to data and damage to a computer. Section 303a of the German Penal Code makes it a crime to delete, suppress, render unusable or alter data. Section 303b makes it a crime to interfere “with data processing which is of substantial significance to the business or enterprise of another or a public authority by” doing either of two things: The first is violating § 303a of the German Penal Code. The second is “destroying, damaging, rendering unusable, removing or altering a data processing system or a data carrier”. So it looks like § 303b criminalizes the act of damaging a computer system which, I assume, encompasses causing physical damage to the system.

That brings me back to the first issue I noted above: Is it possible to use signals transmitted via cyberspace to cause physical damage to computer hardware? The general federal cybercrime statute – 18 U.S. Code § 1030 – seems to encompass physical damage to a computer. Section 1030(e)(8) defines the term “damage” as used in the statute as “any impairment to the integrity or availability of data, a program, a system, or information”. That definition obviously encompasses damage to data, but the reference to impairing the integrity of a system might be construed as criminalizing the act of causing physical damage to a computer or computer system.

I can’t find any reported U.S. cases that specifically address this issue. (That doesn't mean cases don't exist; it means they haven't been published by a law reporting service like Westlaw or Lexis.) The issue of physical damage to a computer arises in a few civil cases involving insurance claims for physical damage to a computer or computer system.

In a case from 2000, a federal court held that a company’s computer system sustained direct physical damage because “`physical damage” is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.” American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc., 2000 WL 726789 (U.S. District Court for the District of Arizona 2000). Another court dealing with a similar issue found that “one cannot suffer direct physical loss to computer data without corresponding physical damage to a computer system.” Greco & Trafficante V. Fidelity & Guaranty Insurance Co., 2009 WL 162068 (California Court of Appeals 2009).

I also found a Washington state statute that defines “physical damage” in the context of computers. Here’s what it says:

`Physical damage" in addition to its ordinary meaning, shall include the total or partial alteration, damage, obliteration, or erasure of records, information, data, computer programs, or their computer representations, which are recorded for use in computers or the impairment, interruption, or interference with the use of such records, information, data, or computer programs, or the impairment, interruption, or interference with the use of any computer or services provided by computers.

Washington Revised Code § 9A.48.100(1). I found a Washington Court of Appeals case that cites this statute and then notes that the “ordinary meaning of `damage’ is injury or harm to property.” State v. Norng, 2007 WL 743245 (Washington Court of Appeals 2007). So I guess under this statute, “physical damage” to computer hardware means “injury or harm” to the property, not that this really gets us anywhere.

Finally, I found an article in an ABA journal which quotes a lawyer “who specializes in technology issues” as saying that in “criminal law, . . . individuals who are hackers or install malicious code on computers `damage’ the physical computer because the hard drive is changed.” Hope Viner Samborn, AOL's Insurance Company is Off the Hook for Version 5.0 Damages, ABA Journal EReport (2002). Maybe that answers the question; maybe, as the Greco & Trafficante court said, you can’t have damage to data without also having physical damage to computer hardware.

That brings me to the second issue I noted much earlier in this post: If it is possible to use signals/data transmitted via cyberspace to cause damage to computer hardware, do we really need computer-specific damage statutes?

Assuming this is possible, couldn’t we simply prosecute someone who did this under a general criminal property damage statute? The Kansas criminal damage to property statute, for example, makes it a crime to intentionally injure, damage, mutilate, deface, destroy, or substantially impair “the use of any property in which another has an interest without the consent of” that person. Kansas Statutes § 21-3720(a)(1).

As I said, this post is inconclusive. I’ll think about these issues some more, do some more research and see if I can come up with any answers. Maybe the answer is very simply: Maybe I’m completely off base and there really aren’t any live issues here.

Wednesday, February 11, 2009

I’m indebted to Sigmund, News Editor for SLentrepreneur Magazine, for calling this to my attention:The Nevada legislature is debating a bill that would let Nevada authorities prosecute people who simply view child pornography online.

Currently, Nevada like most, if not all, U.S. states only makes it a crime to produce, distribute and/or possess child pornography.This has meant that for states to prosecute someone who says they looked but did not download child pornography they have to rely on cache files on the person’s computer; what usually happens in these cases is that the defendant says he only meant to look and didn’t realize that his Internet browser was caching the images he looked at.

Basically, courts have held that if the defendant knew his browser was caching the image files, he is guilty of possessing child pornography.The premise is that while he didn’t intentionally download the images, he knew his computer was, in fact, downloading them as he looked at them.So, several courts have held that’s enough.

That still creates a problem – at least for prosecutors – when it comes to someone who did exactly the same thing (meant to view only, viewed, browser still cached image files) but didn’t realize the browser cached the images files.Some courts have held that the person can’t be convicted of possessing child pornography in this instance because he didn’t realize he was acquiring possession of the images; he thought he was simply looking.

The Nevada bill would change that by adding a fourth option to the three (producing, distributing and possessing child pornography) we already have.The fourth option is viewing – looking at – child pornography online.The story I read on the Nevada bill also says the new legislation, if passed, would let Nevada prosecutors charge those who view child pornography in Second Life and, presumably, other virtual worlds.The article includes comments from opponents of the bill who, IMHO, make some good points.Basically, prosecuting someone for simply viewing could lead to absurd and unjust results; as one of the opponents notes, it could mean that someone who accidentally clicks on a link that takes him/her to child pornography could be prosecuted for the act of (unintentionally) viewing it.

The article also quotes proponents of the bill who say, probably correctly, that in deciding whether or not to charge someone for viewing child pornography, law enforcement would take into account evidence showing that their viewing was accidental or otherwise unintentional.The proponents say that police would, for example, look at the history of the pages the person viewed to see if it looks like he/she was actively seeking out child pornography (lots and lots of images in the cache file) or merely stumbled onto it (few images in the cache file).I think that’s probably true; I’ve heard similar comments from law enforcement officers referring to whether or not they’d pursue charges under the viewing-and-caching-images-files-as-possession theory.Still, though, relying on prosecutorial discretion is unnerving, especially when we’re talking about a crime that carries very heavy penalties and a great deal of social stigma.

You may think what Nevada is considering is a complete aberration in the laws criminalizing child pornography, but it isn’t.Canada has, for some years, had a statue that makes it a crime to view child pornography.Section 163.1(4.1) of the Canadian Criminal Code makes it a crime to “access” child pornography.Section 163.1(4.2) of the Criminal Code says that “a person accesses child pornography who knowingly causes child pornography to be viewed by, or transmitted to, himself or herself.”So Canada has for years had 4 child pornography offenses:accessing, possessing, distributing and creating child pornography.Now the U.S. is following suit.

Nevada isn’t the first U.S. jurisdiction to follow Canada’s example. On October 8, 2008, Public Law 110-358 went into effect, having been enacted by Congress and signed by then-President Bush.Public Law 110-358 did a number of things, one of which was to insert new language in several sections of 18 U.S. Code § 2252; section 2252 criminalizes “certain activities relating to material involving the sexual exploitation of minors” (or child pornography).

Specifically, § 203 of Public Law 110-358 added the underlined language to 18 U.S. Code § 2252(a)(4):

[Any person who] either--

(A) in the special maritime and territorial jurisdiction of the United States. . .knowingly possesses, or knowingly accesses with intent to view, 1 or more books, magazines, periodicals, films, video tapes, or other matter which contain any visual depiction; or

(B) knowingly possesses, or knowingly accesses with intent to view, 1 or more books, magazines, periodicals, films, video tapes, or other matter which contain any visual depiction that has been mailed, or has been shipped or transported using any means or facility of interstate or foreign commerce or in or affecting interstate or foreign commerce, or which was produced using materials which have been mailed or so shipped or transported, by any means including by computer, if--

(i) the producing of such visual depiction involves the use of a minor engaging in sexually explicit conduct; and

(ii) such visual depiction is of such conduct;

shall be punished as provided in subsection (b) of [§ 2252].

Section 203 of Public Law 110-358 added essentially identical language to 18 U.S. Code § 2252A, which also criminalizes the “certain activities relating to” child pornography.

As a result, it’s now a federal crime to look at child pornography online.The Nevada legislature is simply considering whether that state wants to jump on the “viewing child pornography” bandwagon.

As you can maybe tell, I’m not really a fan of the fourth option.I abhor real child pornography (child pornography the creation of which involved children) and am very much in favor of prosecuting those who create and distribute it (especially those who create it).And I have no problem with prosecuting those who possess it, at least not in terms of making possession of child pornography a crime.

The rationale behind criminalizing possession of child pornography seems logical and therefore valid:If you prosecute the users, you help dry up the market.My only reservation as to prosecuting people for possession concerns the efficacy of prosecuting those who possess child pornography; prosecuting those who possess drugs doesn’t seem to have dried up the drug trade, so I wonder if it will have a great deal of impact on the child pornography industry.I wonder sometimes if our criminal justice systems (state and federal) don’t concentrate on prosecuting those who possess child pornography because it can be difficult to find the really, really bad guys . . . the ones who create and distribute it.But I could be way off base there; it’s happened before.

Monday, February 09, 2009

I did a post not long ago about the possibility of using computer technology to commit murder.

David Schumann, a Wisconsin lawyer and proprietor of the GPS Evidence Issues blog, recently sent me an email suggesting a new and pretty devious way to commit computer murder.

He pointed out that in an era of remote surgery, “simply reprogramming the depth of a cut to be made could look like a bad accident, when it was really murder.” I found that a very intriguing suggestion so, knowing absolutely nothing about remote surgery, I checked it out.

Remote surgery . . . is the ability for a doctor to perform surgery on a patient even though they are not physically in the same location. It is a form of telepresence. Remote surgery combines elements of robotics, . . . communication technology such as high-speed data connections and elements of management information systems. . . . Remote surgery is essentially advanced telecommuting for surgeons, where the physical distance between the surgeon and the patient is immaterial. It promises to allow the expertise of specialized surgeons to be available to patients worldwide, without the need for patients to travel beyond their local hospital.

It’s apparently been around at least since 2001.

The Wikipedia entry also points out another type of surgery – unassisted robotic surgery – that might, at least theoretically, be exploited to commit murder:

As the techniques of expert surgeons are studied and stored in special computer systems, robots might one day be able to perform surgeries with . . . no human input. Carlo Pappone, an Italian surgeon, has developed a software program that uses data collected from several surgeons and thousands of operations to perform the surgery without human intervention.

I can’t find any cases dealing with remote surgery issues, but there are at least two law review articles specifically dedicated to what they call “cybersurgery.” Both give scenarios in which telecommunication or other glitches result in the patient’s either dying on the operating room table or suffering some kind of injury. I can’t find any discussion of the obvious possibility of hacking a remote surgery and making it look like a technical glitch caused the patient’s death when, in fact, it was homicide.